Open Redirect Vulnerability in WPO365 | Microsoft 365 Graph Mailer Plugin
CVE-2025-1488

4.7MEDIUM

Key Information:

Vendor: WPo365
Status: WPo365 | Microsoft 365 Graph Mailer
Vendor: CVE Published:; 24 February 2025

Summary

The WPO365 | Microsoft 365 Graph Mailer plugin for WordPress is susceptible to an Open Redirect vulnerability across all versions up to and including 3.2. This issue arises from inadequate validation of the redirect URL provided via the 'redirect_to' parameter. As a result, unauthenticated attackers may exploit this flaw to redirect unsuspecting users to malicious websites if they can deceive them into performing a certain action. This is particularly concerning when the plugin is active but not properly configured, leaving users exposed to potential phishing attacks.

Affected Version(s)

WPO365 | MICROSOFT 365 GRAPH MAILER * <= 3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wpo365-msgraphmailer/#devel...

https://www.wpo365.com/change-log/

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 24, 2025
Vulnerability Reserved
Feb 19, 2025

Credit

Krzysztof Zając